World events, such as the COVID-19 pandemic, have accelerated the need for business operations to grow more digitally reliant and driven. As the global network grows and becomes more interconnected, privacy and data-protective measures have become a paramount consideration for business organizations in response to ensuing frequent and highly publicized data breaches. Given that the current pace of technological advances and innovation is expected to continue, it is important for companies to understand the security safeguards and regulations in place to protect their privacy and data. It is also important for companies to be mindful of relevant legislation and regulations on the horizon to address the pressing privacy and data challenges facing business operations everywhere.
In this roundup of key takeaways from Morgan Lewis’s Technology Marathon and Asia Technology Innovation webinar series, we take a look at the patchwork of privacy and data laws and legislation developing in the United States, United Kingdom, Europe, and China.
1. US Data Privacy Developments
2. Europe Data Privacy Developments
3. China’s Privacy Regime
US DATA PRIVACY DEVELOPMENTS
The privacy legislative landscape is active on the US front, with data privacy laws taking effect in California, Virginia, Colorado, Utah, and Connecticut throughout 2023.
- California Privacy Rights Act, effective January 1, 2023
- Virginia Consumer Data Protection Act, effective January 1, 2023
- Colorado Privacy Act, effective July 1, 2023
- Connecticut Data Privacy Act, effective July 1, 2023
- Utah Consumer Privacy Act, effective December 31, 2023
With the new year only months away, it is prime time to be thinking about compliance with the varying requirements and the scope of one’s business obligations under these privacy laws. In addition to the five above states, nearly a dozen others are actively debating imposing a comprehensive privacy law. Morgan Lewis is tracking developments in all 50 states in its US Privacy and Data Protection Law Tracker as new data privacy legislation is proposed, enacted, and amended.
Currently, the United States does not have a federal data privacy law. While several federal bills have been proposed over the years, none have been successful. In May 2022, a bipartisan group of legislators introduced the American Data Privacy and Protection Act, which includes federal preemption of state laws with some exceptions, such as a limited private right of action for certain privacy violations. The chances of the act’s passage remain unclear, but there has been some noteworthy movement with a draft of the legislation being circulated on Capitol Hill and among key industry stakeholders.
Biometric Data Privacy
Currently, only Illinois, Texas, and Washington have enacted biometric privacy laws, although in 2022 new biometric laws were considered in at least eight states. Most often, the Illinois Biometric Data Privacy Act seems to serve as the inspiration for developing legislative activity in this space. It is likely that states without biometric legislation will look to the Illinois law as a model. In some instances, localities such as New York City have regulated the collection and use of biometric data.
In our recent Technology Marathon presentation, “New State Consumer Privacy Laws,” we discuss the latest developments in state consumer privacy legislation and consider how businesses can meet the challenges of a US privacy regulatory landscape that is growing increasingly complex.
US Congressional Activity Related to Privacy
In addition to the American Data Privacy and Protection Act mentioned above, there have been recent privacy and data security developments on Capitol Hill and at the Federal Communications Commission and Federal Trade Commission (FTC).
For instance, the Computer Fraud and Abuse Act (CFAA) is one of the very few statutes that addresses privacy and data protection at the federal level; it imposes criminal and civil liability on anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” Website owners have used the CFAA as a means of protecting themselves from unauthorized scraping of data and other information from their website(s).
Additionally, a recent US Court of Appeals for the Ninth Circuit ruling held that scraping data from public websites is not unlawful. On April 18, 2022, the Ninth Circuit affirmed its previous decision that plaintiffs may not use the CFAA as a deterrent to keep third parties from scraping data from their websites.
The following is a list of recently introduced privacy-related legislation, although it remains to be seen whether any of these bills will progress:
- Banning Surveillance Advertising Act of 2022: Prohibits targeted advertising under certain circumstances.
- Online Privacy Act of 2021:
  - Opt-in consent required for disclosure and sale of personal information (PI)
  - Requires data minimization and reasonable cybersecurity practices
  - Establishes the right to access, correct, delete, and port data
  - Would create a federal digital-privacy agency
- Informing Consumers about Smart Devices Act: Imposes disclosure obligations on manufacturers of Internet of Things devices that include cameras and microphones.
- Algorithmic Accountability Act: Mandates that the FTC require impact assessments of automated decision systems.
- Protecting Consumer Information Act: Requires the FTC to consider whether it needs to revise its data security standards applicable to consumers’ financial information to protect such data from cybersecurity threats.
In our recent Technology Marathon presentation, “Hot Privacy and Data Security Issues on the Hill and at the FCC and FTC,” we consider legislative initiatives and priorities of the FCC and FTC in this space. We also examine the continuing evolution of Telephone Consumer Protection Act litigation, recent developments concerning the interpretation of the Computer Fraud and Abuse Act, and other timely topics.
EUROPE DATA PRIVACY DEVELOPMENTS
The United States in many ways is playing catch-up to certain data privacy regulations that are already in place in Europe. In 2022, there have been a number of new developments in data privacy across Europe, particularly as governments and regulators continue their acute focus on cross-border data transfers, along with updates to the Privacy Shield 2.0 and requirements for data transfers. In addition, we saw the United Kingdom’s new proposed Privacy Bill, which sets out to amend some of the United Kingdom’s obligations under the EU General Data Protection Regulation (GDPR) post-Brexit, but there does not appear to be any proposed dilution of privacy rights and obligations, meaning that the United Kingdom is likely to retain adequacy with the European Union.
EU Regulatory Activity
In April 2022, the French Blocking Statute was amended to include requirements for French companies receiving discovery requests to report them to French authorities and provide them with more information to evaluate those requests. The French Blocking Statute was originally enacted as a level of protection for French businesses and individuals against requests for information from other nations. It prohibits the disclosure of information that would harm the security or economic interests of France, unless already allowed under an existing treaty.
Privacy Shield 2.0
The Trans-Atlantic Data Privacy Framework (TADPF) was announced in February 2022. Although details have yet to be released on the TADPF, it will likely:
- include new safeguards to limit access to data by US surveillance agencies,
- include a two-tier redress system to investigate and resolve complaints of EU individuals on access of data by US surveillance agencies, which includes an independent Data Protection Review Board, and
- enhance oversight of intelligence activities.
If the European Commission and US government agree to the TADPF, the approval process will commence, and an EU adequacy decision could be anticipated by early 2023. In the meantime, data importers and exporters may want to rely on other data transfer tools, such as the new EU Standard Contractual Clauses or, in rare instances, derogations under Article 49 of the GDPR, such as individual, specific consents.
Standard Contractual Clauses
According to the GDPR, contractual clauses establishing the appropriate data protection safeguards can be used as a method for data transfers from the European Union to third countries. This includes contract clauses—so-called Standard Contractual Clauses (SCCs)—that have been preapproved by the European Commission. In June 2021, the European Commission issued modernized SCCs that replaced the three sets of SCCs, which had been adopted under the previous Data Protection Directive 95/46, to now include four modules. These include “docking clauses,” which provide the flexibility to add additional parties (e.g., subprocessors) in the future.
Organizations should take note that after December 27, 2022, they cannot lawfully rely on prior SCCs to transfer data to the United States and other countries without an adequacy decision. Following Brexit, the United Kingdom is on a different regime. For transfers from the United Kingdom, existing SCCs can be used for new processing arrangements until September and referenced until March 2024.
Data Transfer Impact Assessments
Businesses with international operations, and the many companies (including small- to medium-sized enterprises) that rely on foreign providers, should be concerned with complying with the requirements of a Transfer Impact Assessment (TIA) before transferring data to third countries. A relatively new term in the privacy world, the TIA stems from Clause 14 of the new SCCs. Conducting a TIA can be complicated, especially given that there are no general standards and no template provided by the European Commission to help complete the process. The assessment consists of several components, including a risk analysis that calls for difficult determinations requiring a deep dive into US law, which European exporters may not be in a position to conduct.
Data Subject Access Requests
Over the last couple of years, privacy laws such as GDPR and CCPA have smoothed the path for individuals to learn how companies are using and processing their personal information. Consumers can obtain this information by making data subject access requests (DSARs). For companies, responding to DSARs can be a tedious process, so it is important to be mindful of the scope of access rights granted by privacy laws across jurisdictions, as well as the response deadlines that can range from one month to 45 days. Of equal significance is familiarity with data sources. While it can be difficult to identify the systems where data can reside and extract this information from those sources, companies gearing up for compliance need to be familiar with their data systems. Reasonable measures should be used to verify the identity of a data subject, and personal information should only be released in a secure manner after verifying the request.
Next year is anticipated to be a significant year for DSARs in the United States, with a likely expansion of rights beyond California into other states in 2024. US companies can learn from GDPR/UK GDPR guidance and experiences, including from the UK Information Commissioner’s Office’s guidelines on requesting compliance and from the European Data Protection Board’s guidelines on data subject rights.
In our recent Technology Marathon presentation, “Hot Topics in Data Privacy,” we cover the latest data privacy developments.
CHINA’S PRIVACY REGIME
Multinational tech companies handle significant amounts of often potentially sensitive personal data. The three most critical legal frameworks for data protection affecting global tech companies in China are the Cybersecurity Law (CSL), which took effect in 2017, and the Data Security Law (DSL) and Personal Information Protection Law (PIPL), both of which took effect in 2021. These laws demonstrate the Chinese government’s aim of enhancing data protection supervision, specifically with respect to data that affects data security and national security. Over the last year, a series of guiding regulations and national standards have been rolled out, further clarifying the new regulatory requirements. The most recent of these are the Security Assessment Measures for Cross-Border Data Transfers. Effective from September 1, 2022, these apply to corporations transferring data from China to overseas countries/regions, with a six-month grace period for companies to take remedial actions and complete the government security assessment as required.
Issues Affecting Multinational Technology Companies
- The Chinese data protection laws require companies acting as data handlers (a concept under the PIPL, similar to data controllers under the EU General Data Protection Regulation) to obtain informed and separate consents from the data subjects for the collection, processing, and cross-border transfer of personal information (limited exceptions apply).
- For data localization and cross-border transfers, a security assessment by the Cyberspace Administration of China, certification by a qualified institution, or standard contract may be required, depending on the types and volume of the data to be cross-border transferred.
- Global tech companies must also comply with the Multi-Level Protection Scheme (MLPS), developed to identify the nature of systems deployed and data handled in China, and whether and to what extent it could raise cybersecurity concerns.
- Specific Regulations on Mobile Applications (Apps): Technology sector–specific regulations follow the general principles of the PIPL, DSL, and CSL but impose additional privacy and cybersecurity obligations.
Proactive Steps to Mitigate Compliance Risks
- Perform data mapping to understand categories and location of data and identify important data, personal information, and sensitive personal information that the company is processing.
- Perform a gap analysis of the current data-related policies, both internal employee notices and external-facing privacy notices and policies, to comply with the informed consent requirements.
- Establish a risk assessment process for major data processing activities, covering the processing of important data, (sensitive) personal information, and cross-border data transfers, including the internal assessment and government reporting obligations.
- Conduct the MLPS assessment as soon as possible.
- Understand the localization requirements and (if required) implement localized storage within China.
- Understand any app-specific requirements and take actions to be fully compliant.
China’s dynamic data protection regime continues to evolve. Regardless of the size of the entity operating in China, these developments will have an impact on nearly every company doing business in China, as the regulations protect all information from customer data to employee-hiring documents.
In our recent Asia Technology Innovation Series presentation, “China’s Privacy Regime: What Tech Companies Need to Know,” we provide an overview of PIPL and DSL, and their impact on the technology industry, cross-border transfer of data and technology, and relevant data privacy compliance issues.
The digital transformation of business operations and consumer habits is escalating the amount of data collected, transferred, and shared. Laws and regulations are playing catch-up with the complex, fast-evolving environment of technology. In order to navigate and effectively comply with the labyrinthine data privacy landscape, entities should keep an eye on the latest enforcement actions, review the latest guidance documents interpreting laws and regulations, and incorporate emerging privacy and security best practices.